Staying Compliant by Protecting Patient Data

Is data encryption required under HIPAA privacy regulations?

HIPAA and Email Encryption

HIPAA may be one of the most complex healthcare laws in the last decade. The law is supposed to regulate privacy rules and communication of patient information. But the legislation is still widely misinterpreted by healthcare providers.

The confusion made headlines last year after the terrible Orlando nightclub shooting that left 49 dead and 53 injured. The Orlando Mayor said HIPAA should be waived so hospital officials could share information with families. According to Becker’s Health IT & CIO Review, at least one hospital CEO stated their facility refused to release information to families during the crisis.

But HIPAA does allow the release of patient information in the event of emergencies. So, the families and loved ones of these injured patients in Orlando should not have had the added stress of fighting to discover their status after the tragedy occurred.

But what about more common, less crisis-oriented forms of communication that healthcare providers might use, such as email? Does HIPAA regulate the security of email communication on the Internet? Staying true to the convoluted language in HIPAA, the answer is both yes – and no.

HIPAA Background

In 1996, the U.S. Health Insurance Portability and Accountability Act was passed. The law was originally intended to protect the right to insurance if you had a pre-existing condition after you lost your job. Security amendments were added until the bill became a patchwork of confusing policies that healthcare providers and patients are still struggling to understand.

The benefit of HIPAA was that the law sought to establish consistency between the states related to patient privacy rules. HIPAA was passed during a time when healthcare providers were moving to electronic medical records (EMRs) with information transmitted via the cloud. It attempted to standardize how healthcare providers handled Protected Health Information (PHI) including technical, administrative, and physical rules in medical facilities.

Some of those rules affected the technology hospitals and healthcare providers use, including how they protect data from prying eyes when using the Internet.

What is Encryption and Why Does it Matter?

Encryption takes regular message text and encodes it through a computer algorithm. It is one of the best methods for ensuring only the person intended to receive the message will be able to read it.

Encryption works via keys, which act like long random passwords. While the person at the other end of the message has the key to unlock the data, others do not. Most data that flows over the Internet, including chats, phone calls, and search engine activity, is not encrypted.

ComputerWorld says that encryption remains the most secure way to transfer information across the public or private Internet. TechRepublic agrees with this finding, listing encryption in their top ten security measures all businesses and individuals should pursue to secure valuable personal information.

According to the HIPAA Journal, the rules for email encryption include:

The HIPAA Security Rule does not prohibit the sending of ePHI via email, although any data sent via an open network must be appropriately secured and controls implemented to prevent unauthorized access (See 45 CFR § 164.312(e)).

While the law doesn’t specifically name encryption as the security required, it does state that the technology protocol used by the healthcare provider must protect the confidentiality of patient data. It also states that if you don’t use encryption, you better find an alternative – and document your rationale for not using encryption protocols.

Because medical providers use email that travels across open Internet networks in different ways, there is no single standard for encrypting data. The law suggests mandating an encryption standard could have presented a real financial burden on smaller, independent medical practices.

However, the law indicates encryption must be implemented if the medical entity can provide it. If the provider decides encryption is not “reasonable and appropriate,” the reason why must be documented and a reasonable alternative for protecting patient data must be implemented.

What Could Happen Without Email Encryption

In March 2017, BJC HealthCare in St. Louis found out the hard way that email encryption is a vital security measure in healthcare. More than 600 patients in a local program sponsored by BJC had their contact information along with nursing notes and medication data exposed. That’s because BJC failed to follow their own internal security protocols that would have encrypted the data, keeping it safe from public eyes.